Methods and apparatus for application isolation

US 9,602,524 B2
Filed: 07/24/2015
Issued: 03/21/2017
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory including a shared persistent directory; and

a hardware processor communicatively coupled to the memory, the hardware processor configured to execute a virtual machine monitor at least partially stored in the memory, the virtual machine monitor configured to provide hardware level virtualization as a first layer of isolation for an application,the hardware processor configured to execute a virtual environment using the virtual machine monitor, the virtual environment configured to operate under control of an operating system operating within a virtual machine defined by the virtual machine monitor, the virtual environment configured to provide operating system level virtualization as a second layer of isolation for the application, the second layer of isolation operating within the first layer of isolation,the hardware processor configured to execute the application within the virtual environment, the shared persistent directory configured to operate within the first layer of isolation, access to data associated with a host operating system by the virtual environment being restricted to the shared persistent directory,the hardware processor configured to monitor behavior of the application within the virtual environment, the hardware processor configured to discard the virtual environment in response to detecting unauthorized activity of the application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

156 Citations

15 Claims

1. An apparatus, comprising:
- a memory including a shared persistent directory; and
  
  a hardware processor communicatively coupled to the memory, the hardware processor configured to execute a virtual machine monitor at least partially stored in the memory, the virtual machine monitor configured to provide hardware level virtualization as a first layer of isolation for an application,the hardware processor configured to execute a virtual environment using the virtual machine monitor, the virtual environment configured to operate under control of an operating system operating within a virtual machine defined by the virtual machine monitor, the virtual environment configured to provide operating system level virtualization as a second layer of isolation for the application, the second layer of isolation operating within the first layer of isolation,the hardware processor configured to execute the application within the virtual environment, the shared persistent directory configured to operate within the first layer of isolation, access to data associated with a host operating system by the virtual environment being restricted to the shared persistent directory,the hardware processor configured to monitor behavior of the application within the virtual environment, the hardware processor configured to discard the virtual environment in response to detecting unauthorized activity of the application.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1, wherein the operating system operating within the virtual machine is a guest operating system, the hardware processor configured to execute the virtual machine monitor under control of the host operating system.
  - 3. The apparatus of claim 1, wherein the virtual environment is configured to operate in a protected memory space of the memory.
  - 4. The apparatus of claim 1, wherein the virtual environment is from a plurality of virtual environments configured to operate under control of the operating system operating within the virtual machine.

5. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- initiate a virtual container to execute an application, the virtual container providing a layer of operating system level virtualization executed within a layer of hardware level virtualization, the application being isolated from a host operating system by the layer of operating system level virtualization and the layer of hardware level virtualization, access to data associated with the host operating system by the virtual container is restricted to a shared persistent directory configured to operate within the layer of hardware level virtualization;
  
  monitor behavior of the application within the virtual container;
  
  detect, based on the monitoring, an unauthorized activity of the application; and
  
  discard the virtual container in response to detecting the unauthorized activity.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The non-transitory processor-readable medium of claim 5, wherein the layer of hardware level virtualization is implemented by a virtual machine including a guest operating system.
  - 7. The non-transitory processor-readable medium of claim 5, wherein the unauthorized activity includes at least one of an unauthorized change to a non-modifiable section of the virtual container, a registry write, a start of a new process, corruption to an existing process, a web site visited, a redirected Uniform Resource Locator (URL), an infection detail, an event timeline, a network connection, a file system write, or a configuration change.
  - 8. The non-transitory processor-readable medium of claim 5, wherein the layer of hardware level virtualization is controlled by a virtual machine monitor executing on the host operating system.
  - 9. The non-transitory processor-readable medium of claim 5, wherein the virtual container is configured to operate in a protected memory space.
  - 10. The non-transitory processor-readable medium of claim 5, wherein the virtual container is from a plurality of virtual containers configured to operate within the layer of hardware level virtualization.

11. An apparatus, comprising:
- a memory including a shared persistent directory; and
  
  a hardware processor communicatively coupled to the memory, the hardware processor configured to execute;
  
  a virtual machine to define a layer of hardware level virtualization,a virtual container within the virtual machine to define a layer of operating system level virtualization within the layer of hardware level virtualization, andan application within the virtual container,the shared persistent directory configured to operate within the layer of hardware level virtualization, access to data associated with a host operating system by the virtual container is restricted to the shared persistent directory,the hardware processor is configured to monitor behavior of the application within the virtual container, the hardware processor configured to discard the virtual container in response to detecting unauthorized activity of the application.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the hardware processor is configured to execute a virtual machine monitor under control of the host operating system, the virtual machine monitor configured to define the virtual machine,the hardware processor configured to execute a guest operating system within the virtual machine, the guest operating system configured to control the virtual container.
  - 13. The apparatus of claim 11, wherein the virtual container is configured to operate in a protected memory space of the memory.
  - 14. The apparatus of claim 11, wherein the virtual container is a first virtual container, the hardware processor configured to execute an application within a second virtual container.
  - 15. The apparatus of claim 11, wherein the virtual container is from a plurality of virtual containers configured to operate within the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Research Foundation Inc.
Original Assignee
George Mason Research Foundation Inc.
Inventors
Ghosh, Anup, Huang, Yih, Wang, Jiang, Stavrou, Angelos
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/808,681
Publication Number

US 20160182540A1
Time in Patent Office

606 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45545   Guest-host, i.e. hypervisor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Methods and apparatus for application isolation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for application isolation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links